
Chester Wisniewski's Naked Security bio describes his specialty thus: "He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics." So he's obviously someone who might know a little about preventing future Target-style security debacles. We've also interviewed tech journalist Wayne Rash about this topic, and will probably interview another security expert or two. Many Slashdot users may find all this credit card security talk boring, but for those who handle security matters for a living, especially for retailers, it's vital information. So here's Tim Lord talking with Chet, who is a recognized security expert for Sophos, one of the big dogs in the IT security field, when Chet was in Texas for the latest iteration of Security B-Sides in Austin.

Tim: So, Chet, we are here at BSides in Austin talking. Right now I want to talk to you a little bit about credit cards and chip-and-PIN. What is the security problem that we are suddenly facing even more this year than before?

Chet: Well, I'm not sure that we're facing it more now than before, but certainly these high-profile situations have drawn everybody's attention to it, which is a pretty common thing: for the media to glom on to something once finally something really large happens. We've been tracking criminal gangs that are stealing credit data like what happened at Target, Neiman Marcus, Michaels; all the stuff that's been in the news in the last three or four months. And when we look at that stuff, we're seeing maybe close to a hundred companies a quarter of some variety or another, small, medium, big size, getting hit with this type of stuff. So it's not exactly new, although it's largely been a bigger problem in the last three or four years, and I think it's a public awareness thing, that we just didn't know about this stuff, and I guess 40 million credit cards helped that along a little bit.

Tim: It's a much bigger PR problem now than it was not too long ago?

Chet: Well, it is, and when you consider something like Target, where so many Americans shop, you also have to realize that congressmen shop at Target, senators shop at Target, and that also is drawing extra attention to this, and hopefully that's one of the things that can help reform the system to fix things. In my opinion, regulation is a very dirty word in the banking industry; I don't like regulation, and so the fact that a lot of very important people were impacted by such a large breach means this isn't just about gamers and Sony and Anonymous like it was three years ago. Now it's about our groceries, and so it's a bigger focus for Americans in particular.

Tim: What are some examples of regulation that you think would actually be effective, or what would be the most bang for the buck when it comes to regulation that would actually protect people's online information, and offline information in the form of cards? What would be the best kind?

Chet: Well, America has fallen behind the rest of the world in our credit card technology, in that we're still relying on the stripes on the back of these things, right? Like, we've got these cards in our wallet with this simple magnetic stripe, which is 1960s technology, that we are depending on for the security of our transactions when we are purchasing our groceries, and I think that's probably one of the focus areas that may happen if regulators get interested: what is the minimum amount of diligence required of both the payment card industry, the merchants, all the people involved in a credit card transaction, to really safeguard that information? Is that magnetic stripe enough? I think clearly it's not.

When we look at the western world, the United States is one of the only countries that still has not implemented cryptographic security measures in our card payment systems, and that's coming, but the question is, do you want the government involved or do you do it voluntarily? I suspect that, similar to the movie industry deciding it's better that they decide what's rated 'R' rather than the government, perhaps the payment card industry also would rather decide how to implement chip-and-PIN technology rather than the government prescribing it.

Tim: Now, one thing I have heard you talk about before is that there is a considerable difference between what is projected to be implemented in the U.S. and what is already in place in some other countries. Can you talk about that?

Chet: Sure. I'm American, but I've been living in Canada for more than 10 years, and here's an example of a credit card that is no longer valid, but you see the chip that's located on the card, and that chip does not necessarily – people associate that with this concept of chip-and-PIN, meaning, just like your debit card or your ATM card, when you use that chip in a payment terminal you have to enter in a secret ID code in order to authorize a transaction.

It looks like the United States is actually working towards something called chip-and-signature, where we still depend on this – I'm going to partially obscure the signature on the back here; it's my wife's signature, she would not be very happy with me if I showed the entire thing on camera – but the signature on the back of our cards is still being used, but with the cryptographic chip. I personally have a problem with this, in that it seems a bit odd to me, because as a merchant, as the local flower shop or the pizza joint, I've got to buy a new terminal to read that chip. It costs me some money, or I have to do a lease with the company I do my payment transactions with. It's going to be somewhat of a burden on me to accept credit cards.

If I'm the bank, I'm Bank of America, I'm Chase, I'm Wells Fargo, I've got to issue everybody brand new cards now; they have a chip, and that's certainly more expensive than cards that don't contain a chip. And yet we're only getting half the benefit if we are still relying on the checkout people, say at our local supermarket, to check our signatures, and I know most of you have not seen that in a long time. I mean, here we are at this conference; I actually had my ID checked for being allowed to drink a beer today, I'm a bit old for that, but strangely in America, right, we check ID to buy a beer in Texas, but yet I made credit card transactions all over Austin in the last two days and no one asked for my ID to check my signature or even looked at the back of my card. So relying on signature as a verification method seems to me to be a mistake, but moving towards chip does still help solve the problem, so anything that moves us forward from where we are at today with the stripes is a good thing.

Tim: One thing I've seen you demonstrate before is how relatively simple it is to extract a lot of information that is actually in fairly plain text on the back of cards. So what does it cost right now if you want to criminally extract some information? How easy is that process?

Chet: It's incredibly easy. I mean, if we're looking at – I have got all these cards here, and if we are looking at the stripes on these cards and we're just looking at reading those stripes, on eBay you can pick up a reader for about $15; it depends on which country you're in. Actually, I think I paid about $12 for the one I use in the demonstration in my talk here at BSides.

Tim: Square will send you one for free?

Chet: Well, to a degree the Square readers do not output plain text or unencrypted – well, it's not encrypted, but it's obscured – and so it's not exactly useful as a criminal compared to a pocket skimmer, which is what most criminals would use, say if you're a waitress that's not quite making enough at – whatever the minimum wage for waitresses is now, $4 an hour or something, right.

Tim: I think that's high, actually.

Chet: Maybe $3 something, I don't remember. But you can have something in your pocket very easily, scan cards from people, and pocket skimmers can be upwards of $40 or $50; the one like I used in my demonstration was like $12 or $15. Unfortunately, because I'm in Canada and shipping is outrageous, it cost me like $25, a big burden in order to steal credit cards. But it's cheap, right? This is trivial, and unfortunately, to a degree, the chips in our cards, if we implement them, don't necessarily solve that particular problem. But what they do is make it difficult to reproduce, so if you go to a merchant and you're expected to insert your card with that cryptographic chip, it's very difficult as a criminal to reproduce that chip and make one, or, stealing data off the chip, what good does it do you? If you can't make a chip, you've just got the data, but they still can't do a transaction.

Tim: Whereas for online transactions, I don't have a reader on my desktop or laptop?

Chet: Yeah, that's still an unsolved problem. In Europe in particular, some banks actually have introduced USB-based little readers that you are supposed to insert your card with a chip into to do online transactions. It's totally flopped; people don't like the thing, it's inconvenient, who carries that with their laptop, how do I buy it for my iPad? Like, there's a million problems with it. So I don't think it's an unsolvable problem, but it is still an unsolved problem, in that there's not been a good method of doing that.

Now, the fraud we're talking about in particular is what we call retail fraud, and in countries like the United Kingdom that have had chip-and-PIN for some time, retail fraud was reduced 80% by the introduction of the chip instead of the stripe. So it's addressing one problem, but it does a pretty good job of addressing that problem, and that's the way we need to approach most problems in life, right? Like, we have to chip away; we never have a total solution to any given problem. How do we eliminate the password, right? I mean, nobody wants to have 50 million passwords for 50 million websites. And the way we deal with this is keep trying to find better and better ways to make it a little easier to do the right thing.

Tim: I've had my card in the chunk machine at least once in the last year, where it's actually physically just rolled over the carbon?

Chet: Really? Yeah, I mean, that still happens. And the alternative to that are things like Square, and I don't necessarily want to criticize any given brand or company for – I don't think Square does anything wrong, but it's another one of those things. I get in a taxicab here in the U.S. and I'm always torn when it's Square, because I'm like, that means it's a small business guy who probably owns his own car, and I really want to respect that, that he is not part of Yellow Cab with a fancy $400 credit card machine built into his car. He's just making a go of it with his iPhone, and that's pretty cool.

But on the other hand, I also know the protections and the ability to commit fraud that way seem, in my opinion, larger, right? Because one of the problems in particular with stripes on cards like we have here in the U.S. is a replay attack: the ability that I can take that information that was used for a transaction and play it over and over again and repeat that transaction, because cryptographically there's nothing to prevent that. And that's another benefit of things like the chip, where it's using a digital signature, which conceptually is similar in mind to the way SSL works in your web browser, in that there are public and private keys and transactions are signed, and replaying them does you kind of no good as a criminal.

I haven't tried this, but I suspect Square is making an audio sound into the microphone in your iPhone, so what's stopping me from swiping and recording that on the recorder sound app on my iPhone and replaying it when I want to make a purchase again and then changing the amount or something else? Because all the information coming in through that connection is simply what's called the PAN, or the 16 digits on the front of your card, and the expiration date and a little bit of other data. So it's got nothing to do with what I'm buying, so it might have been a taxicab ride today, but later tonight it might be a $200 bottle of scotch, and I don't know anything about that. Trust me, I know nothing about the scotch.

Tim: A few minutes ago we were also talking about the perception difference when it comes to a place like the giant Target breach. That seems like a company that really should, just for its sheer size and the salaries they are paying, probably have a lot of people who are working hard, a large security staff; you'd think that that wouldn't be the place, compared to your corner store. But that's not necessarily how it actually is?

Chet: Yeah, unfortunately, I mean, it does play out across the board. I don't want to give the wrong impression and say that the flower shop that's owned by your sister's cousin actually is safer than Target, because all of these organizations have been victimized, and actually I didn't point it out in my talk, which I usually do when I talk about these things, which is kind of – how do you know if you are a target? The way you know you are a target is that you accept a credit card. Like, that's how you know you are a target, right? Criminals are indiscriminate. They don't care. They don't discriminate. Wherever they can steal money, they're going to steal money. And this is easy money for them.

But on the other hand, there's also this perception that if you're a Fortune 500 company and you have a security staff of 100, you obviously are more secure and safer than the local pizza shop. And that's not necessarily true either, right? And in particular, we actually advise, if there are people out there that accept payment cards and are concerned about these problems: use a payment card terminal that directly communicates with your payment card processor, that does the encryption inside the payment card terminal, put a sticker on the seams to make sure nobody has modified it, or can modify it without your knowledge, and then this whole problem goes away.

You don't have to worry about regulation, you don't have to worry about compliance; let your payment card processor worry about it, and they truly are professionals at it. A few of them have made mistakes in the past and been breached, and they've all learned a very expensive lesson from that problem and have really shaped up security. And clearly, with Target in mind, I'm sure there are lots of changes of course at Target as well, but it's probably one of the safest places to shop moving forward, considering what happened. But this idea that it's a big brand, right.

Sony was breached by Anonymous. Who is Anonymous? I mean, a ragtag group of hackers, if you will, right? We don't know who they are, but you could call them political activists. They weren't necessarily even skilled hackers. The fact that a Sony can fall to this and a Target can fall to this means that brand doesn't have that much to do with it, and strangely, I guess to a degree, I also kind of ignore it, which may seem like bad advice, but you've got to get on with life. We can't be obsessed with worrying about our credit card all the time. Fortunately, we have great protection from the banks. They usually cover fraud when it happens, but you need to be vigilant; you've got to watch that statement, knowing that a $200 bottle of scotch showed up that you did not buy. I did not buy that. And if you do know that, report it to your bank; they'll generally cover you.

So you've got to get on with life, but do watch for the suspicious. When you go to the ATM, my advice is, give it a wiggle; check the thing where you're putting the card into the slot, make sure it doesn't move, because it could be a skimmer. If it moves, go find another one; there's probably one only 10 yards over, just use a different one, right? And when I'm at a restaurant and the waitress wants to take the card in the back: no, sorry, you are not taking my card out of my sight. Like, if you need, I can walk with you over to the terminal where you do this and just swipe the card, I'll sign it, and then I can be on my way when I'm ready and I'm finished with my drinks with my friends, whatever it is. Be smart, be vigilant, but don't be paranoid. You are protected largely, and these things are a little scary. I mean, 40 million people being impacted is a big deal. We're all learning lessons from this, and we're getting better at it.

Until transactions are performed through a bank run broker such that the retailer NEVER GETS THEIR PAWS ON ACCOUNT CREDENTIALS, it's all a waste of time. I blame the banks; Target episodes are inevitable as long as the banks fail to provide an alternative to having retailers schlep around account credentials.


Interestingly, the US is the only place in the world not to implement Chip and PIN, which basically keeps retailers from getting their paws on account credentials. There's a move to chip, but PIN is being avoided, which means that it STILL won't be secure.

And why is this hard? About 10 years ago I had a credit card that offered a website. It would let you generate a new credit card number at any time that was only good for up to a certain amount. So you didn't have to give away the keys to the kingdom just to place a little purchase. But they shut it down and I haven't seen anything like it in years.

What I would like is a trusted hardware token (like a SecureID card) that I carry in my pocket. When the POS terminal requests a payment, it transmits the

About 10 years ago I had a credit card that offered a website. It would let you generate a new credit card number at any time that was only good for up to a certain amount.

About 10 minutes ago, I did exactly that with Bank of America's ShopSafe [mbnashopsafe.com] -- not that they're the only one around. But I've used them for years and it works great.

You log into the website and select your supporting credit card. Then you find the (mostly hidden? Why??) option and tell it the maximum dollar amount and the max number of valid months. It generates a new CC number and CSC with the limits you specify. The first vendor who uses the card is linked to the card so no one else can use it again.
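The virtual-number scheme described in the comment above (a cap, a validity window in months, and a lock to the first merchant that uses the number) is small enough to show end to end. The block below is an added example written for this page, not ShopSafe's or any issuer's code: the BIN prefix 412345, the merchant IDs, the dates and the check order (expiry, then merchant lock, then cumulative cap) are all assumptions made for illustration. The PAN is minted with a proper Luhn check digit so it would pass a merchant's front-end sanity check, and the issuer-side decision is a plain function so the rules are easy to audit.

```python
"""Virtual card numbers: capped, time-limited, locked to the first merchant.

Added example; the BIN, merchant IDs and dates are constructed for illustration.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import date


def luhn_check_digit(partial_pan: str) -> str:
    """Check digit for the digits that precede it (ISO/IEC 7812 Luhn)."""
    total = 0
    for i, ch in enumerate(reversed(partial_pan)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting from the rightmost
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


@dataclass
class VirtualCard:
    pan: str
    csc: str
    max_cents: int                  # spending cap chosen by the cardholder
    exp_year: int
    exp_month: int                  # valid through the end of this month
    locked_merchant: str | None = None   # bound on the first approved use
    spent_cents: int = 0


def issue_virtual_card(max_cents: int, valid_months: int,
                       issued: date | None = None,
                       bin_prefix: str = "412345") -> VirtualCard:
    """Mint a fresh PAN/CSC with a cap and a validity window (constructed BIN)."""
    issued = issued or date.today()
    if max_cents <= 0 or valid_months <= 0:
        raise ValueError("cap and validity must be positive")
    body = bin_prefix + "".join(str(secrets.randbelow(10))
                                for _ in range(15 - len(bin_prefix)))
    pan = body + luhn_check_digit(body)
    csc = f"{secrets.randbelow(1000):03d}"
    months = issued.month - 1 + valid_months
    return VirtualCard(pan, csc, max_cents,
                       exp_year=issued.year + months // 12,
                       exp_month=months % 12 + 1)


def authorize(card: VirtualCard, merchant_id: str, amount_cents: int,
              when: date) -> tuple[bool, str]:
    """Issuer-side decision: expiry, then merchant lock, then cumulative cap."""
    if (when.year, when.month) > (card.exp_year, card.exp_month):
        return False, "expired"
    if card.locked_merchant is not None and card.locked_merchant != merchant_id:
        return False, "merchant mismatch"
    if card.spent_cents + amount_cents > card.max_cents:
        return False, "over limit"
    card.locked_merchant = merchant_id      # first approved use binds the number
    card.spent_cents += amount_cents
    return True, "approved"


def demo() -> list[tuple[bool, str]]:
    """Constructed scenario: $50 cap, two months, issued 2014-04-01."""
    card = issue_virtual_card(5000, 2, issued=date(2014, 4, 1))
    attempts = [
        ("FLOWERS-001", 3000, date(2014, 4, 15)),   # first use, binds merchant
        ("PIZZA-777", 1000, date(2014, 4, 16)),     # different merchant
        ("FLOWERS-001", 2500, date(2014, 5, 1)),    # would exceed the cap
        ("FLOWERS-001", 2000, date(2014, 6, 30)),   # exactly reaches the cap
        ("FLOWERS-001", 1, date(2014, 7, 1)),       # past the validity window
    ]
    return [authorize(card, m, amt, d) for m, amt, d in attempts]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Binding the merchant only on an approved transaction (rather than on first sight) means a declined probe from a different merchant cannot poison the number before the intended vendor uses it.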

The majority of POS terminals in the wild run Windows XP. This is unlikely to change anytime soon, so I have no idea how Windows XP's official retirement in a few days time will play out as none of the retailers I work with intend to change their tills. This isn't surprising (to people who support POS terminals), as we still see terminals running Windows NT4 (!!!!!!!).

Our advice to retailers is to always have their tills on a separate non-internet facing network. No one really does this though....

Broken. Right there. The only worthwhile solution has no transfer of payment instrument credentials. None, ever. No numbers, no PINs, no CVVs, no expiration dates. Nothing.

That's done with a broker. That's how Paypal works and that's how Bitcoin works. The fact that credit cards don't work that way is indifference on the part of banks. Banks fail to provide an alternative to handing over the keys to random and sundry knuckleheads and their insecure systems.

Because it's so simple to authenticate all parties to the broker. Now we've gone from trusting the merchant, the shopper, and the bank, to trusting the merchant, shopper, bank, and broker. That's the problem here: every solution that relies on trust instead of hardware cryptographic implementations is equally broken.

The smart cards in the EMV system are indeed the way to go, because they are issued by the bank, and your bank stores your account's secret in them. The bank's trust never leaves the bank's sys
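The replay attack Chet describes in the interview (static stripe data, so a captured swipe authorizes again at any amount) and the point made in the comments above (the EMV card holds an issuer secret that never leaves the chip) are worth seeing side by side. The block below is an added example for this page, not EMVCo's, Square's or any issuer's code. The Track 2 string, the PAN, the card key and the terminal nonces are constructed; the cryptogram uses HMAC-SHA256 over the PAN, amount, terminal nonce and transaction counter as a stand-in for the real ARQC, which EMV computes with a session key derived from a 3DES/AES master key and the ATC over the terminal's CDOL data. The structure is what matters: the stripe issuer has nothing to distinguish a replay, while the chip issuer rejects both a replayed cryptogram (stale counter) and a cryptogram moved to a different amount (bad MAC).

```python
"""Static stripe capture replays; a chip cryptogram bound to a counter does not.

Added example. Track 2 string, PAN, key and nonces are constructed; HMAC-SHA256
stands in for the real EMV cryptogram.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


# ---- magnetic stripe: everything the issuer sees is in the capture ----

def parse_track2(track2: str) -> dict[str, str]:
    """Split a Track 2 string (ISO/IEC 7813) into its fields.

    ';' start sentinel, PAN, '=' separator, YYMM expiry, 3-digit service code,
    discretionary data, '?' end sentinel.
    """
    body = track2.strip().lstrip(";").rstrip("?")
    pan, _, rest = body.partition("=")
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or len(rest) < 7:
        raise ValueError("malformed track 2 data")
    return {"pan": pan, "expiry": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}


STRIPE_ISSUER_DB = {"4111111111111111": "2512"}   # constructed account: PAN -> expiry


def stripe_authorize(track2: str, amount_cents: int) -> bool:
    """The amount is not bound to anything, so a replay is indistinguishable."""
    fields = parse_track2(track2)
    return STRIPE_ISSUER_DB.get(fields["pan"]) == fields["expiry"]


# ---- chip: per-transaction cryptogram over amount, terminal nonce and ATC ----

def _cryptogram_input(pan: str, amount_cents: int, un: bytes, atc: int) -> bytes:
    return pan.encode() + amount_cents.to_bytes(8, "big") + un + atc.to_bytes(2, "big")


@dataclass
class ChipCard:
    pan: str
    key: bytes            # issuer-loaded secret that never leaves the chip
    atc: int = 0          # Application Transaction Counter, one step per use

    def generate_cryptogram(self, amount_cents: int, un: bytes) -> tuple[int, bytes]:
        self.atc += 1
        msg = _cryptogram_input(self.pan, amount_cents, un, self.atc)
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()


@dataclass
class ChipIssuer:
    keys: dict[str, bytes] = field(default_factory=dict)
    last_atc: dict[str, int] = field(default_factory=dict)

    def authorize(self, pan: str, amount_cents: int, un: bytes,
                  atc: int, cryptogram: bytes) -> tuple[bool, str]:
        key = self.keys.get(pan)
        if key is None:
            return False, "unknown card"
        if atc <= self.last_atc.get(pan, 0):         # counter must move forward
            return False, "stale counter (replay)"
        expected = hmac.new(key, _cryptogram_input(pan, amount_cents, un, atc),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        self.last_atc[pan] = atc
        return True, "approved"


def demo() -> dict[str, object]:
    """Constructed capture of one swipe and one chip transaction, then replays."""
    track2 = ";4111111111111111=2512101123456789?"
    key = bytes(range(16))                            # constructed card key
    card = ChipCard("4111111111111111", key)
    issuer = ChipIssuer(keys={card.pan: key})
    un = b"\x5a\x00\x13\x37"                          # terminal nonce, constructed
    atc, crypt = card.generate_cryptogram(1500, un)
    return {
        "stripe_first": stripe_authorize(track2, 1500),
        "stripe_replay_other_amount": stripe_authorize(track2, 20000),
        "chip_first": issuer.authorize(card.pan, 1500, un, atc, crypt),
        "chip_replay": issuer.authorize(card.pan, 1500, un, atc, crypt),
        "chip_tampered_amount": issuer.authorize(card.pan, 20000, un, atc + 1, crypt),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The counter check alone stops a verbatim replay; the MAC is what stops the attacker from bumping the counter and changing the amount, which is exactly the "taxi ride today, scotch tonight" scenario from the interview.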